Date: Wed, 21 Jun 2000 16:50:09 EDT
From: "Jennifer Ulrich" <pixie_styxx@hotmail.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: allowing passive ftp through ipfw
Message-ID: <20000621205009.74341.qmail@hotmail.com>
Hello all!

I have a FreeBSD 3.4 box which runs ipfw, that is firewalling for a publicly reachable lan of servers, including FTP servers. When I set up the machine, I made the FTP servers reachable by adding a rule for:

    ipfw add 1400 pass all from x.x.x.x/x to any
    ipfw add 2300 pass tcp from any to x.x.x.x 21

(x.x.x.x 21 being the address of the ftp server and a default rule allowing anything from my internal lan out through the firewall)

I initially had some problems with clients on the lan not being able to establish FTP connections outbound, so I added this rule:

    ipfw add 2300 pass tcp from any to x.x.x.x/x established

With these two rules in place, FTP was a happy camper. Users could connect from outside of the network to specific FTP servers, and users inside the network could connect to any FTP server on the internet.

Everything ran smoothly until someone from the internet tried to connect to the internal FTP server with Netscape. Apparently, when Netscape opens an FTP connection, it does so by sending a PASV (instead of PORT) command. Basically, as I understand it, in passive mode the server passively sets the port and passes that information to the client. It is then up to the client to actively open the ftp connection on that specified port. So instead of the ftp connection coming in with a destination of 21, it comes in on some predetermined but random high port (which is why my ruleset denies the connection).

So how do I get passive FTP to work? I certainly would rather not punch a hole in the firewall to allow all traffic destined to the higher ports through to my FTP server. Is there another way to accomplish this that is a bit more secure?

Anyone's thoughts and suggestions regarding this matter are most appreciated!
~jenn
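An added example (not part of the original mail or the FreeBSD project): the PASV mechanism described above, parsed the way a firewall helper or an admin's sanity check would see it, together with the bounded-range ruleset that avoids opening every high port. It assumes the FTP daemon can be pinned to a fixed passive port range (49152-49252 here, a constructed value), uses the documentation address 192.0.2.10 in place of the x.x.x.x in the mail, and relies on ipfw's `setup` (TCP SYN without ACK) and `established` keywords. The 227 reply lines are constructed samples.

```python
import re

# Constructed values for this example (not from the original message):
# the FTP server's address and the passive port range the daemon is
# assumed to be configured to use.
FTP_SERVER = "192.0.2.10"
PASV_PORT_RANGE = (49152, 49252)   # inclusive, constructed for this example

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# The data port is p1 * 256 + p2.
_PASV_RE = re.compile(
    r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (host, port) advertised in a 227 reply, or None if it is not one."""
    m = _PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):        # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def pasv_port_permitted(line, server=FTP_SERVER, port_range=PASV_PORT_RANGE):
    """True if the advertised data endpoint is one the bounded ruleset admits.

    The host check also rejects replies that advertise an address other
    than the server's own, which a firewall should never honour.
    """
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return False
    host, port = parsed
    lo, hi = port_range
    return host == server and lo <= port <= hi


def ipfw_passive_rules(server=FTP_SERVER, port_range=PASV_PORT_RANGE, base=2310):
    """ipfw rules admitting new inbound connections only to port 21 and the
    passive range, plus the established rule for the rest of each flow."""
    lo, hi = port_range
    return [
        f"ipfw add {base} pass tcp from any to {server} 21 setup",
        f"ipfw add {base + 10} pass tcp from any to {server} {lo}-{hi} setup",
        f"ipfw add {base + 20} pass tcp from any to {server} established",
    ]


if __name__ == "__main__":
    # Constructed sample replies: two inside the range, one just past it,
    # one far below it, and one that is not a PASV reply at all.
    samples = [
        "227 Entering Passive Mode (192,0,2,10,192,0).",
        "227 Entering Passive Mode (192,0,2,10,192,100).",
        "227 Entering Passive Mode (192,0,2,10,192,101).",
        "227 Entering Passive Mode (192,0,2,10,4,1).",
        "150 Opening BINARY mode data connection.",
    ]
    for s in samples:
        print(f"{'ALLOW' if pasv_port_permitted(s) else 'DENY ':5} {parse_pasv_reply(s)}  <- {s}")
    print()
    print("\n".join(ipfw_passive_rules()))
```

Run it directly to see which replies the ruleset would admit and the three rules to load; the `established` rule replaces the poster's second rule 2300, and the `setup` rules replace the single port-21 rule so that only the server's own bounded range is reachable from outside.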